[Zope] Security doubt

Jamie Heilman jamie@audible.transient.net
Fri, 6 Jun 2003 11:36:48 -0700


Oliver Bleutgen wrote:
> Common wisdom seems to be to filter out .*manage.* requests in
> apache (search the mailing lists for that).

Sadly if you want 100% coverage filtering on 'manage' alone won't cut
it thanks to
a) management interfaces that don't use manage anywhere
   in the name like ZCacheable_*
b) type coercion done through POST requests which seems basically
   impossible to filter out using apache

Zope will have to be patched or a new product will have to be written
to enforce secure management.

-- 
Jamie Heilman                   http://audible.transient.net/~jamie/
"You came all this way, without saying squat, and now you're trying
 to tell me a '56 Chevy can beat a '47 Buick in a dead quarter mile?
 I liked you better when you weren't saying squat kid."	-Buddy
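As an added illustration of point (a) above (this is not code from the thread or from Zope itself), the small checker below takes a candidate Apache-style filter expression and reports which management method names it fails to match. The method names in the sample list are constructed for the example, modelled on the `manage_*` and `ZCacheable_*` names the message refers to; the point is that a filter written around the word `manage` leaves the `ZCacheable_*` names uncovered, and only an expression that names that family too closes the gap. Point (b), parameters carried in a POST body, is outside what any URL-pattern filter can see, so the checker deliberately only models the request line.

```python
import re

# Constructed sample of management method names, modelled on the families
# named in the message (manage_* and ZCacheable_*). Not an exhaustive list.
MANAGEMENT_NAMES = [
    "manage_main",
    "manage_workspace",
    "manage_addProduct",
    "ZCacheable_manage",      # contains 'manage', so a manage-only rule catches it
    "ZCacheable_invalidate",  # no 'manage' anywhere: a manage-only rule misses it
    "ZCacheable_setManagerId",
]


def uncovered(filter_pattern, names=MANAGEMENT_NAMES):
    """Return the management names that an Apache-style regex would NOT block.

    Apache location/rewrite matching is applied to the request path; here
    each name stands in for the last path segment of a management URL.
    Matching is case-insensitive, as a defensive rule would normally be.
    """
    rx = re.compile(filter_pattern, re.IGNORECASE)
    return [name for name in names if rx.search(name) is None]


def coverage_report(filter_pattern, names=MANAGEMENT_NAMES):
    """Summarise how many of the sample names the filter blocks."""
    missed = uncovered(filter_pattern, names)
    return {
        "pattern": filter_pattern,
        "blocked": len(names) - len(missed),
        "total": len(names),
        "missed": missed,
    }


if __name__ == "__main__":
    # The rule from the thread: block anything containing 'manage'.
    for pattern in (r"manage", r"manage|ZCacheable_"):
        rep = coverage_report(pattern)
        print(f"{rep['pattern']!r}: blocks {rep['blocked']}/{rep['total']},"
              f" misses {rep['missed']}")
```

Running it shows the `manage` rule blocking five of the six sample names and missing `ZCacheable_invalidate`, while `manage|ZCacheable_` covers all of them. Even a complete name list, though, only addresses URL-visible requests; it says nothing about what arrives in a POST body, which is why the message concludes that enforcement has to live in Zope rather than in the front-end filter.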